This release of JBEAP for Red Hat Enterprise Linux 4 contains the JBoss
Application Server and JBoss Seam. This release serves as a replacement to
JBEAP 4.2.0.GA.

The updated packages address the following security vulnerabilities:

* the JFreeChart component was vulnerable to multiple cross-site scripting
(XSS) vulnerabilities. An attacker could misuse the image map feature to
inject arbitrary web script or HTML via several attributes of the chart
area. (CVE-2007-6306)

* a vulnerability caused by exposing static java methods was located within
the HSQLDB component. This could be utilized by an attacker to execute
arbitrary static java methods. (CVE-2007-4575)

* the setOrder method in the org.jboss.seam.framework.Query class did not
properly validate user-supplied parameters. This vulnerability allowed
remote attackers to inject and execute arbitrary EJBQL commands via the
order parameter. (CVE-2007-6433)

All users are advised to upgrade to this release of JBEAP, which addresses
these vulnerabilities.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.